Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Adel Yazdanmehr,Jingguo Wang

DOI: https://doi.org/10.1016/j.dss.2016.09.009

IF: 6.969

2016-01-01

Decision Support Systems

Abstract:This study explores the role of norms in employees' compliance with an organizational information security policy (ISP). Drawing upon norm activation theory, social norms theory, and ethical climate literature, we propose a model to examine how ISP-related personal norms are developed and then activated to affect employees' ISP compliance behavior. We collected our data through Amazon Mechanical Turk for hypothesis testing. The results show that ISP-related personal norms lead to ISP compliance behavior, and the effect is strengthened by ISP-related ascription of personal responsibility. Social norms related to ISP (including injunctive and subjective norms), awareness of consequences, and ascription of personal responsibility shape personal norms. Social norms related to ISP are the product of principle ethical climate in an organization.

Adel Yazdanmehr,Jingguo Wang,Zhiyong Yang

DOI: https://doi.org/10.1111/isj.12271

2020-01-01

Abstract:Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed.

Adel Yazdanmehr,Jingguo Wang

DOI: https://doi.org/10.1080/0960085X.2021.1980444

2021-09-23

European Journal of Information Systems

Abstract:Peers may help others avoid violating organisational information security policies (ISPs). This study explores how peer monitoring reduces employee ISP violation intention. We propose that peer monitoring discourages employees from violating ISP. Moreover, trust plays an important role. Trust not only facilitates peer monitoring, but also moderates the effect of peer monitoring on employee ISP violation intention. In addition, collective responsibility leads to peer monitoring. We test our research model with data from two waves of surveys of 254 employees in the United States conducted two weeks apart. We utilise four scenarios in the second wave of surveys capturing the dependent variable and measure all other constructs in the first wave of surveys. Our results suggest that peer monitoring decreases one's intention to violate ISPs. Furthermore, both collective responsibility and trust contribute to peer monitoring. Finally, trust amplifies the effect of peer monitoring on employees' intention to violate ISPs. We discuss the theoretical contributions and practical implications.

information science & library science,management,computer science, information systems

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.4018/JGIM.294329

2021-01-01

Journal of Global Information Management

Abstract:Most theories of information security policy (ISP), except a few focused on the insider-centric view, are grounded in the control-centric perspective, and most ISP compliance models stem from Western countries. Regulatory focus theory (RFT) proposes two modes of motivational regulation, promotion, and prevention are supposed to motivate employee compliance in a trade-off. Culture is crucial to the study of ISP that puts control over human connections. Chinese guanxi, a specific dimension of Chinese culture, is better understood underlying the trust-distrust frame. To bridge the theoretical gap between the control-centric and the insider-centric perspectives, the authors develop an ISP behavioral model by taking an integrated approach from RFT and the trust-distrust frame. They employed scenario-based events about information security misconduct in the workplace to examine employees' compliance intention and non-violation choice of ISP upon counterfactual thinking. The empirical results improve the theoretical and practical implications of security practices.

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Chao-Min Chiu,Hsiang-Lan Cheng,Jack Shih-Chieh Hsu,Chiew Mei Tan,Chiung Hui Huang

DOI: https://doi.org/10.1080/10447318.2024.2422757

IF: 4.92

2024-11-20

International Journal of Human-Computer Interaction

Abstract:Drawing upon the attitude theory, this study theorizes that commitment affects loafing behaviors and ISP compliance. Further, drawing upon the transfer theory, this study adopts the concepts of loafing and commitment transfer in order to explore whether social loafing will enhance employee cyberloafing and whether organizational commitment can enhance ISP commitment, both of which, in turn, influence ISP compliance intention. This study utilized structural equation modeling (SEM) to analyze survey data collected in July 2023 from 361 Taiwanese individuals affiliated with organizations or companies. The results show that social loafing has a strong positive effect on cyberloafing, which, in turn, has a strong negative effect on ISP compliance intention. Organizational commitment has a strong positive effect on ISP commitment, which, in turn, has a strong positive effect on ISP compliance intention. In addition, distortion of consequences moderates the relationship between social loafing and cyberloafing. Advantageous comparison moderates the relationship between cyberloafing and ISP compliance intention.

computer science, cybernetics,ergonomics

Jie Zhen,Zongxiao Xie,Kunxiang Dong,Lin Chen

DOI: https://doi.org/10.1080/0144929X.2021.1921029

2021-05-05

Behaviour and Information Technology

Abstract:Security research on the role of employees' negative emotions in their information security policy (ISP) violations is limited. In this study, we examine how employees' negative emotions influence their intention to violate ISP. To understand how to reduce employees' negative emotions, we investigate the effects of perceived organisational support, psychological ownership, and work engagement. We test our hypotheses using survey data of 318 employees from various organisations in China. Results indicate that employees with negative emotions are more likely to violate ISP, while perceived organisational support, psychological ownership, and work engagement can reduce employees' negative emotions. Furthermore, psychological ownership and work engagement partially mediate the relationship between perceived organisational support and negative emotions. The theoretical and practical significance of these results and the direction of future research are discussed.

ergonomics,computer science, cybernetics

Maurizio Cavallari

DOI: https://doi.org/10.36941/ajis-2023-0151

2023-11-05

Academic Journal of Interdisciplinary Studies

Abstract:In the advanced field of Information and Communication Technology (ICT) within modern corporate frameworks, the pressing issue of non-compliance becomes increasingly crucial. Achieving the ideal balance—where one fosters consistent employee commitment without resorting to overly harsh penalties for possible violations—presents a complex problem. Such a nuanced relationship calls for a synchronized coordination among the company’s underlying factors, the principles of the Information Security Plan (ISP), and overarching compliance mandates. As companies step into a period where digital environments are in constant flux, the importance of securing information systems rises to a critical level. Against this backdrop, compliance stands out as a vital component, functioning as a stringent safeguard in the ongoing mission to protect precious digital assets—a mission comprehensively detailed within the ISP. This in-depth academic study sets out to rigorously explore and scrutinize the diverse opinions and beliefs of committed employees and insightful management concerning unwavering company alignment with the ISP. This is accomplished by defining a construct that centers on key dimensions: Organizational Culture, Personal Attitudes, Actors, Behavioral Intentions, and Motivational Dynamics. Eleven Hypotheses are outlined and represent the materialisation of the model. This model form a starting point from which future empirical exploration will be able to take place, propelling us towards a deeper understanding of the phenomena under scrutiny. Received: 15 September 2023 / Accepted: 23 October 2023 / Published: 5 November 2023

Xiaofeng Chen,Craig K. Tyran

DOI: https://doi.org/10.1080/08874417.2022.2161024

2023-01-01

Journal of Computer Information Systems

Abstract:Even though abundant research has been done on the factors that may impact employee information security policy (ISP) compliance intention, the results are mixed. To more fully capture the dimensions which may influence employee ISP compliance, this paper introduces a framework that is based on the synthesis of the theories of motivation and behavior. The framework was tested with survey data. Key findings of the study are 1) employee ISP compliance intention is influenced by factors involving four distinct dimensions of action: awareness, motivation, capability, and organizational culture; and 2) The factors from the capability and organizational culture dimension may significantly moderate the strength of the relationship between motivation and ISP compliance intention. The implications of the study regarding the theoretical and practical contributions of this study are discussed.

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Marko Niemimaa

DOI: https://doi.org/10.1016/j.cose.2024.103986

IF: 5.105

2024-07-13

Computers & Security

Abstract:Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently "correct" and noncompliance as inherently "incorrect", may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as "correct" or "incorrect" but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

computer science, information systems

Jiawen Zhu,Gengzhong Feng,Huigang Liang,Kwok-Leung Tsui

DOI: https://doi.org/10.17705/1jais.00794

2019-01-01

Abstract:This paper examines the underlying mechanisms through which paternalistic leadership (PL) motivates employees' information systems policy (ISP) compliance. We propose that the three dimensions of PL-authoritarian leadership (AL), benevolent leadership (BL), and moral leadership (ML)-influence employees' ISP compliance by affecting their perceptions of two information security control mechanisms: sanctions and the information security climate. Based on survey data from 760 participants, we found that the impact of AL is partially mediated by employees' perceptions of sanctions, the impact of BL is partially mediated by employees' perceptions of the information security climate, and the impact of ML is partially mediated by employees' perceptions of both sanctions and the information security climate. Our research extends the existing literature by exploring the impact of specific leadership styles on employees' perceptions of information security control mechanisms and by proposing that perceptions of information security control mechanisms play a mediating role between PL and ISP compliance. The findings suggest that in addition to choosing effective control mechanisms, it is also important for leaders to adjust their leadership style to ensure that employees perceive control mechanisms in the expected manner.

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Stacey R Kessler,Shani Pindek,Gary Kleinman,Stephanie A Andel,Paul E Spector

DOI: https://doi.org/10.1177/1460458219832048

2019-03-14

Health Informatics Journal

Abstract:Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act–covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.

health care sciences & services,medical informatics

Kholekile L. Gwebu,Jing Wang

DOI: https://doi.org/10.1016/j.cose.2024.103891

IF: 5.105

2024-05-08

Computers & Security

Abstract:Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees' use of neutralization to justify violation of ISPs and improve employees' security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.

computer science, information systems

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Xiaofeng Chen,Dazhong Wu,Liqiang Chen,Joe K. L. Teng

DOI: https://doi.org/10.1016/j.im.2018.05.011

IF: 10.328

2018-01-01

Information & Management

Abstract:Information security policy (ISP) plays a critical role in information systems security management. Past research using General Deterrence Theory (GDT) on employees’ compliance intention (CI) with ISP produced mixed results. We use survey data to investigate how other factors influence the relationship between sanction severity and employees’ CI. The results show that none of the investigated moderating variables interacts with sanction severity on employees’ ISP compliance intentions. However, the significant impact of sanction severity on employees’ ISP CI disappears when the investigated variables are included, and the impact of sanction severity is mediated by perceived efficacy and descriptive norm.

Kuang-Ming Kuo,Paul C. Talley,Dyi-Yih Michael Lin

DOI: https://doi.org/10.1177/00469580211029599

2021-01-01

Abstract:Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.